Oko: Open vSwitch Extensions with BPF

Getting the best of Flow Table and Code-based approaches to network programmability

The widely adopted Open vSwitch implements the OpenFlow forwarding model. Its simple match-action abstraction eases network management, while providing enough flexibility to define complex forwarding pipelines. OpenFlow, however, cannot express the many packets processing algorithms required for traffic measurement, network security, or congestion diagnosis because it lacks a persistent state and basic arithmetic and logic operations.

This talk presents Oko, an extension of Open vSwitch with support for BPF actions. We implemented a first userspace prototype over Open vSwitch-DPDK. Our userspace BPF VM relies on the ubpf project, extended with a rudimentary verifier and support for persistent data structures (BPF's maps).

We compare the performance of our prototype for several packet processing applications with a second setup in which applications run as secondary DPDK processes exchanging packets with Open vSwitch over a shared memory (zero-copy DPDK Ring Port setup). Our Oko setup offers a near 2x performance improvement over this alternative setup.